The impact of the SolarWinds Orion attack is staggering. The newly discovered Hafnium/Microsoft breach looks to be potentially just as wide reaching.
However, these are only the latest attacks in which US companies and agencies will be struggling for years with how compromised they are. It serves as reminder that malicious cyber campaigns are persistent and relentless.
Unfortunately, it’s also a reminder that the US government cannot simply use the rule of law to indict its way out of the advanced persistent threats. Organizations must look for other, more proactive ways to fight and prevent this type of attack. The Cyberspace Solarium Commission recommends incorporating a defend forward stance as a component of achieving a layered defense.
Defend forward is a posture that seeks to gain early understanding and warnings of attacker activity, instead of waiting for a breach to happen and then dealing with the consequences.
This posture means stopping cyberattacks before they become reality. It requires monitoring of adversaries outside of a network, collecting data on their targets and techniques, and when done correctly, it gives a security team all the information they need to defend against future attacks. Defend forward also aims to impose costs on adversaries with the aim of disrupting their campaigns and deterring future campaigns.
The cybersecurity threat landscape is ever evolving, and we must adapt to threat. We can do that by thinking like the adversary. Understand that there are new technologies that allow companies to proactively protect their most precious assets. Reassess the threat intel feeds you are relying upon—are they providing mere generic intelligence or actual, tailored actionable intelligence?
The Origin of Defend Forward
Since the DoD introduced a defend forward stance in its 2018 DoD Cyber Strategy1, the idea of proactive cyber defense has been a given in the upper echelon of nation-state cyber strategy. The DoD, in this original document, defines defending forward as “leveraging our focus outward to stop threats before they reach their targets”.
The first mention of the defend forward theory is the following:
“We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict. We will strengthen the security and resilience of networks and systems that contribute to current and future U.S. military advantages.”
And the document goes on to say:
“The department will counter cyber campaigns threatening U.S. military advantage by defending forward to intercept and halt cyber threats and by strengthening the cybersecurity of systems and networks that support DoD missions.” Since the mention of defend forward in this document, it has been leveraged by many other governmental bodies and even private corporations. For those who have the capacity, it is the immediate future of cybersecurity.
What is Defend Forward?
Defend forward is the idea that, instead of waiting for an attack and remaining on the defensive, an organization will go beyond their own network to perform reconnaissance and even interact with potential threat actors.
As the saying goes, attackers only have to be right one time, while defenders must be right 100% of the time.
By rejecting the sole stance of passive defender and taking on the role of active defender, an organization can augment their security posture and take back control.
The Basics of the Defend Forward Stance
Defend forward as a concept has multiple facets, especially when applied in a military context.
Persistent Engagement: Competing with adversaries by disrupting and constantly foiling their capabilities to mount cyberattacks is one of defend forward’s main goals.
Ability to Defend: Defending forward also necessitates equipping oneself with the ability to fight digital “wars” in order to halt malicious activity.
Operation Outside of Networks: Defend forward is a license to operate outside of your own network. To successfully defend against attackers, you need to be where they are.
Observation in Their Habitat: The advantage offered by observing adversaries as they maneuver cannot be overstated. Understanding their TTPs, capabilities, and personas requires access to networks and systems where adversaries operate.
The U.S. government believes that this proactive approach will be so costly and damaging to adversaries that they will be deterred from initiating conflict.
Defend Forward in Cybersecurity
Defend forward necessitates a shift from a defensive cybersecurity posture to a proactive one. Most organizations, however, are accustomed to merely reacting. And many of these organizations don’t even get the chance to react until the damage has already been done, as is the case with the ubiquitous ransomware attack.
The only real tool that exists to engage an adversary in your networks is deception technology. By using advanced deception technology (i.e., not just honeypots), you can create a deception environment that looks convincingly like the real thing. This immediately puts the attacker on your terms, and gives you the upper hand.
Your goal should be to get them to doubt everything, question anything they see and have their behavior fully shaped by your engagement with them in the deception environment.
This will drive the cost and resource value up, creating a hostile environment for attackers and keeping you safe.
- – Read The Business Case for Defend Forward, part II in this series >
- – Find out how to take defend forward operational here, at part III in this series >
Luke Wilson is VP of Operations and Partnerships at CounterCraft, with extensive experience in cyber threat intelligence and cryptocurrency investigations, and is on LinkedIn.